| -rw-r--r-- | .github/workflows/repo-sync.yml | 1 | ||||
| -rw-r--r-- | krebs/3modules/external/default.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/external/mic92.nix | 29 | ||||
| -rw-r--r-- | krebs/3modules/lass/default.nix | 3 | ||||
| -rw-r--r-- | krebs/5pkgs/override/default.nix | 3 | ||||
| -rw-r--r-- | krebs/5pkgs/simple/cyberlocker-tools/default.nix | 23 | ||||
| -rw-r--r-- | krebs/5pkgs/simple/htgen-cyberlocker/default.nix | 29 | ||||
| -rw-r--r-- | krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker | 76 | ||||
| -rw-r--r-- | krebs/nixpkgs-unstable.json | 8 | ||||
| -rw-r--r-- | krebs/nixpkgs.json | 8 | ||||
| -rw-r--r-- | lass/1systems/prism/config.nix | 57 | ||||
| -rw-r--r-- | lass/1systems/yellow/config.nix | 2 | ||||
| -rw-r--r-- | lass/2configs/paste.nix | 42 | 
13 files changed, 271 insertions, 12 deletions
| diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml index 4284463f9..b4c91299f 100644 --- a/.github/workflows/repo-sync.yml +++ b/.github/workflows/repo-sync.yml @@ -5,6 +5,7 @@ on:  jobs:    repo-sync: +    if: github.repository_owner == 'Mic92'      runs-on: ubuntu-latest      steps:      - uses: actions/checkout@v2 diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 75be58326..29c0d34f0 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -639,7 +639,7 @@ in {       nets = {         retiolum = {           ip4.addr = "10.243.13.12"; -         aliases = [ "catalonia.r" ]; +         aliases = [ "catalonia.r" "aleph.r" ];           tinc.pubkey = ''             -----BEGIN RSA PUBLIC KEY-----             MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index bbefb8ed8..3ef693290 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix 
@@ -334,6 +334,26 @@ in {          '';        };      }; +    yasmin = { +      owner = config.krebs.users.mic92; +      nets.retiolum = { +        ip4.addr = "10.243.29.197"; +        aliases = [ +          "yasmin.r" +        ]; +        tinc.pubkey = '' +          -----BEGIN RSA PUBLIC KEY----- +          MIIBCgKCAQEAnQ6HGgUPVQbDIsLZAawZu4vK9yHF02aDrIWU9SdzpAddhM8yqWeC +          f55W6zyjZuoQ2w4UNthDl6gjQM6A9B+nEMRNz3Rnhp57Lyi0a6HZHF2Eok9vJBiu +          IRbVUxPpPKOGE09w0m5cLOfDfaZVdAT+80lQYoaasDr2VlRJNa2/arzaq847/SVg +          vaf4gOmE+iIK+4ZDHqLcTn1WD6jy+aMChZU/zI31vZ8vM4oPuGh1xbcB3wKP3Vf3 +          OTqpGN86CdrdBahJkzNJzIXYsPsRaZ2+8dWTH9gJjI0z+yywQQCrrh9K/oJtDUHF +          BwmNc150BoSLqwduSWLtBonCa9p2/y/TDQIDAQAB +          -----END RSA PUBLIC KEY----- +          Ed25519PublicKey = ZQt/OcrDlQZvtJyMEFcS6FKjtumBA9gBWr7VqGdbJBP +        ''; +      }; +    };      martha = {        owner = config.krebs.users.mic92;        nets = rec { @@ -389,6 +409,7 @@ in {              nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR              /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==              -----END RSA PUBLIC KEY----- +            Ed25519PublicKey = 1wPa2cmQ4FUFw9289d0KdG1DcDuMNIYMWzIUnVVHu2P            '';          };        }; @@ -426,11 +447,12 @@ in {        owner = config.krebs.users.mic92;        nets = rec {          internet = { -          ip4.addr = "131.159.38.191"; -          ip6.addr = "2a09:80c0:38::191"; +          ip4.addr = "131.159.102.1"; +          ip6.addr = "2a09:80c0:102::1";            aliases = [ "bill.i" ];          };          retiolum = { +          via = internet;            addrs = [              config.krebs.hosts.bill.nets.retiolum.ip4.addr              config.krebs.hosts.bill.nets.retiolum.ip6.addr 
@@ -465,6 +487,7 @@ in {            aliases = [ "nardole.i" ];          };          retiolum = { +          via = internet;            addrs = [              config.krebs.hosts.nardole.nets.retiolum.ip4.addr              config.krebs.hosts.nardole.nets.retiolum.ip6.addr @@ -618,6 +641,7 @@ in {              FK5qRrQFMRFB8KGV+n3+cx3XCM2q0ZPTNf06N+Usx6vTKLASa/4GaTcbBx+9Dndm              mFVWq9JjLa8e65tojzj8PhmgxqaNCf8aKwIDAQAB              -----END RSA PUBLIC KEY----- +            Ed25519PublicKey = oRGc9V9G9GFsY1bZIaJamoDEAZU2kphlpxXOMBxI2GN            '';          };        }; @@ -640,6 +664,7 @@ in {              jb+EGlT/vq3+oGNFJ7Shy/VsR5GLDoZ5KCsT45DM87lOjGB7m+bOdizZQtWmJtC/              /btEPWJPAD9lIY2iGtPrmeMWDNTW9c0iCwIDAQAB              -----END RSA PUBLIC KEY----- +            Ed25519PublicKey = dzjT09UeUGJCbUFrBo+FtbnXrsxFQnmqmJw7tjpJQJL            '';          };        }; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index cb68cff18..b19e2e6fc 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -21,6 +21,7 @@ in {          "krebsco.de" = ''            cache     IN A ${nets.internet.ip4.addr}            p         IN A ${nets.internet.ip4.addr} +          c         IN A ${nets.internet.ip4.addr}            paste     IN A ${nets.internet.ip4.addr}            prism     IN A ${nets.internet.ip4.addr}          ''; @@ -65,7 +66,9 @@ in {              "prism.r"              "cache.prism.r"              "cgit.prism.r" +            "flix.r"              "paste.r" +            "c.r"              "p.r"              "search.r"            ]; diff --git a/krebs/5pkgs/override/default.nix b/krebs/5pkgs/override/default.nix index 4cb6a1cb4..c2149ae55 100644 --- a/krebs/5pkgs/override/default.nix +++ b/krebs/5pkgs/override/default.nix 
@@ -18,6 +18,9 @@ self: super: {        "0.9.0" = [          ./flameshot/flameshot_imgur_0.9.0.patch        ]; +      "0.10.1" = [ +        ./flameshot/flameshot_imgur_0.9.0.patch +      ];      }.${old.version};    }); diff --git a/krebs/5pkgs/simple/cyberlocker-tools/default.nix b/krebs/5pkgs/simple/cyberlocker-tools/default.nix new file mode 100644 index 000000000..6e6563fb1 --- /dev/null +++ b/krebs/5pkgs/simple/cyberlocker-tools/default.nix @@ -0,0 +1,23 @@ +{ pkgs }: +pkgs.symlinkJoin { +  name = "cyberlocker-tools"; +  paths = [ +    (pkgs.writers.writeDashBin "cput" '' +      set -efu +      path=''${1:-$(hostname)} +      path=$(echo "/$path" | sed -E 's:/+:/:') +      url=http://c.r$path + +      ${pkgs.curl}/bin/curl -fSs --data-binary @- "$url" +      echo "$url" +    '') +    (pkgs.writers.writeDashBin "cdel" '' +      set -efu +      path=$1 +      path=$(echo "/$path" | sed -E 's:/+:/:') +      url=http://c.r$path + +      ${pkgs.curl}/bin/curl -f -X DELETE "$url" +    '') +  ]; +} diff --git a/krebs/5pkgs/simple/htgen-cyberlocker/default.nix b/krebs/5pkgs/simple/htgen-cyberlocker/default.nix new file mode 100644 index 000000000..515ea3cf9 --- /dev/null +++ b/krebs/5pkgs/simple/htgen-cyberlocker/default.nix @@ -0,0 +1,29 @@ +with import <stockholm/lib>; +{ pkgs, stdenv }: +stdenv.mkDerivation rec { +  pname = "htgen-cyberlocker"; +  version = "1.0.0"; + +  src = ./src; + +  buildPhase = '' +    ( +      exec > htgen-cyberlocker +      echo PATH=${makeBinPath [ +        pkgs.coreutils +        pkgs.file +        pkgs.findutils +        pkgs.gnugrep +        pkgs.jq +        pkgs.nix +        pkgs.utillinux +      ]} +      echo STATEDIR=${shell.escape "\${STATEDIR-$HOME}"} +      cat $src/htgen-cyberlocker +    ) +  ''; + +  installPhase = '' +    install -D htgen-cyberlocker $out/bin/htgen-cyberlocker +  ''; +} 
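Review bot: `cput` and `cdel` in krebs/5pkgs/simple/cyberlocker-tools/default.nix carry no usage comment, and both talk to `http://c.r` over plain HTTP, so confidentiality and integrity of uploads rest entirely on the retiolum VPN. I would write that assumption down with `# cput [PATH] < FILE: upload stdin to http://c.r/PATH (PATH defaults to the hostname); plain HTTP, retiolum only` above the first writer and a matching line above `cdel`. `$path` is also placed in the URL unencoded, so a name containing `?` or `#` is stored under a shorter key than the one typed, because the server's `read_uri` cuts the path there; the comment should say that names are expected to be simple.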
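Review bot: The `PATH` written by `buildPhase` in krebs/5pkgs/simple/htgen-cyberlocker/default.nix includes `pkgs.nix`, `pkgs.findutils`, `pkgs.gnugrep` and `pkgs.utillinux`, none of which the handler script added in this commit appears to call (it uses `jq`, `file` and coreutils tools such as `mktemp`, `head`, `cp` and `rm`). Since the script handles requests from the network, I would trim the list to `pkgs.coreutils pkgs.file pkgs.jq` so the handler's environment holds only what it needs. If the list was copied from another htgen package for a reason not visible here, a comment naming which tool needs which package would do instead.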
diff --git a/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker b/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker new file mode 100644 index 000000000..ab9c4e8e3 --- /dev/null +++ b/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker @@ -0,0 +1,76 @@ +delete_response() { +  jq -n -r \ +  --arg server "$Server" \ +  ' +    [ "HTTP/1.1 204 OK\r" +    , "Connection: close\r" +    , "Server: \($server)\r" +    , "\r" +    ][] +  ' +} + +file_response() {( +  type=$(file -ib "$1") +  size=$(wc -c < "$1") +  jq -n -r \ +  --arg type "$type" \ +  --arg size "$size" \ +  --arg server "$Server" \ +  ' +    [ "HTTP/1.1 200 OK\r" +    , "Connection: close\r" +    , "Content-Length: \($size)\r" +    , "Content-Type: \($type)\r" +    , "Server: \($server)\r" +    , "\r" +    ][] +  ' +  cat "$1" +)} + +read_uri() { +  jq -cn --arg uri "$1" ' +    $uri | +    capture("^((?<scheme>[^:]*):)?(//(?<authority>[^/]*))?(?<path>[^?#]*)([?](?<query>[^#]*))?([#](?<fragment>.*))?$") | +    . + { +      query: (.query | if . != null then +        split("&") | +        map(split("=") | {key:.[0],value:.[1]}) | +        from_entries +      else . end) +    } +  ' +} + +uri=$(read_uri "$Request_URI") +path=$(jq -nr --argjson uri "$uri" '$uri.path') + +case "$Method $path" in +  'POST /'*|'PUT /'*) +    content=$(mktemp -t htgen.$$.content.XXXXXXXX) +    trap "rm $content >&2" EXIT + +    head -c $req_content_length > $content + +    item=$STATEDIR/items/$(echo "$path" | jq -rR @uri) + +    mkdir -v -p $STATEDIR/items >&2 +    cp -v $content $item >&2 +    exit +  ;; +  'GET /'*) +    item=$STATEDIR/items/$(echo "$path" | jq -rR @uri) +    if [ -e "$item" ]; then +      file_response "$item" +      exit +    fi +  ;; +  'DELETE /'*) +    item=$STATEDIR/items/$(echo "$path" | jq -rR @uri) +    if [ -e "$item" ]; then +      rm "$item" +      delete_response +      exit +    fi +esac 
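Review bot: `file_response` sets `Content-Type` from `file -ib` run on the stored bytes, so whatever a retiolum peer uploads is later served with that type, `text/html` included, from the public `c.krebsco.de` origin added in this commit. For a store whose content is uploader-controlled I would add `, "X-Content-Type-Options: nosniff\r"` to the header list and either `, "Content-Disposition: attachment\r"` or a fallback to `application/octet-stream` for HTML and script types. Separately, the POST/PUT branch expands `$content`, `$item`, `$STATEDIR` and `$req_content_length` unquoted and interpolates the temp path into the trap string; `trap 'rm -- "$content" >&2' EXIT` and `head -c "$req_content_length" > "$content"` are safer, and the `mkdir`/`cp` arguments should be quoted the same way. The `@uri` encoding of `$path` is what keeps each item a single file name under `items/`, which deserves a one-line comment because the GET and DELETE branches rely on it too. The status line in `delete_response` should read `204 No Content`.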
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 967f0b426..d0d3cd82d 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,9 @@  {    "url": "https://github.com/NixOS/nixpkgs", -  "rev": "dd14e5d78e90a2ccd6007e569820de9b4861a6c2", -  "date": "2021-07-24T08:14:16-04:00", -  "path": "/nix/store/0z5nrrjzmjcicjhhdrqb9vgm56zxysk3-nixpkgs", -  "sha256": "1zmhwx1qqgl1wrrb9mjkck508887rldrnragvximhd7jrh1ya3fb", +  "rev": "8d8a28b47b7c41aeb4ad01a2bd8b7d26986c3512", +  "date": "2021-08-29T22:49:37+08:00", +  "path": "/nix/store/vg29bg0awqam80djwz68ym0awvasrw6i-nixpkgs", +  "sha256": "1s29nc3ppsjdq8kgbh8pc26xislkv01yph58xv2vjklkvsmz5pzm",    "fetchSubmodules": false,    "deepClone": false,    "leaveDotGit": false diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 5086b8af3..92ce9aa90 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@  {    "url": "https://github.com/NixOS/nixpkgs", -  "rev": "91903ceb294dbe63a696759bfba3d23ee667f2dc", -  "date": "2021-07-26T09:21:28+02:00", -  "path": "/nix/store/2v649741xdh1crybi2dm879bl60zrkhf-nixpkgs", -  "sha256": "1hmpwi27r4q0lnspg7ylfzxakwz2fhl3r07vjvq5yalcdqwiain3", +  "rev": "74d017edb6717ad76d38edc02ad3210d4ad66b96", +  "date": "2021-08-27T16:58:49+02:00", +  "path": "/nix/store/82jg1p0rlf7mkryjpdn0z6b95q4i9lnq-nixpkgs", +  "sha256": "0wvz41izp4djzzr0a6x54hcm3xjr51nlj8vqghfgyrjpk8plyk4s",    "fetchSubmodules": false,    "deepClone": false,    "leaveDotGit": false diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 89a386139..421afab2a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -305,6 +305,12 @@ with import <stockholm/lib>;          localAddress = "10.233.2.14";        }; +      services.nginx.virtualHosts."flix.r" = { +        locations."/".extraConfig = '' +          proxy_pass http://10.233.2.14:80/; +          proxy_set_header Accept-Encoding ""; +        ''; +      };        services.nginx.virtualHosts."lassul.us" = {          locations."^~ /flix/".extraConfig = ''            if ($scheme != "https") { 
@@ -379,7 +385,58 @@ with import <stockholm/lib>;          mountdPort = 4002;          statdPort = 4000;        }; + +      services.samba = { +        enable = true; +        enableNmbd = false; +        extraConfig = '' +          workgroup = WORKGROUP +          netbios name = PRISM +          server string = ${config.networking.hostName} +          # only allow retiolum addresses +          hosts allow = 42::/16 10.243.0.0/16 + +          # Use sendfile() for performance gain +          use sendfile = true + +          # No NetBIOS is needed +          disable netbios = true + +          # Only mangle non-valid NTFS names, don't care about DOS support +          mangled names = illegal + +          # Performance optimizations +          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 + +          # Disable all printing +          load printers = false +          disable spoolss = true +          printcap name = /dev/null + +          map to guest = Bad User +          max log size = 50 +          dns proxy = no +          security = user + +          [global] +          syslog only = yes +        ''; +        shares.public = { +          comment = "Warez"; +          path = "/export"; +          public = "yes"; +          "only guest" = "yes"; +          "create mask" = "0644"; +          "directory mask" = "2777"; +          writable = "no"; +          printable = "no"; +        }; +      }; +        krebs.iptables.tables.filter.INPUT.rules = [ +         # smbd +         { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } +           { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }           { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }           { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 178a5adf1..dc3b4b566 100644 --- a/lass/1systems/yellow/config.nix 
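Review bot: In the `services.samba` block, `shares.public` sets `"directory mask" = "2777"` and `"create mask" = "0644"` on a share that is `writable = "no"`, so both masks are inert today and the world-writable setgid directory mode would take effect the moment someone flips `writable`. I would drop the two mask lines or use `"directory mask" = "0755";`. With `map to guest = Bad User` and `"only guest" = "yes"`, every host inside `hosts allow` reads `/export` without credentials; that looks intended, and a comment such as `# guest, read-only; reachable from retiolum only (hosts allow + iptables rule below)` would record it. The enclosing attribute set starts and ends outside the hunk.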
+++ b/lass/1systems/yellow/config.nix @@ -164,7 +164,7 @@ with import <stockholm/lib>;      client      dev tun      proto udp -    remote 91.207.172.77 1194 +    remote 196.240.57.43 1194      resolv-retry infinite      remote-random      nobind diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 0cf62ec0b..68a55c71c 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -2,6 +2,18 @@  with import <stockholm/lib>;  { +  services.nginx.virtualHosts.cyberlocker = { +    serverAliases = [ "c.r" ]; +    locations."/".extraConfig = '' +      client_max_body_size 4G; +      proxy_set_header Host $host; +      proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port}; +    ''; +    extraConfig = '' +      add_header 'Access-Control-Allow-Origin' '*'; +      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; +    ''; +  };    services.nginx.virtualHosts.paste = {      serverAliases = [ "p.r" ];      locations."/".extraConfig = '' @@ -19,6 +31,26 @@ with import <stockholm/lib>;        proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};        proxy_pass_header Server;      ''; +    extraConfig = '' +      add_header 'Access-Control-Allow-Origin' '*'; +      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; +    ''; +  }; +  services.nginx.virtualHosts."c.krebsco.de" = { +    enableACME = true; +    addSSL = true; +    serverAliases = [ "c.krebsco.de" ]; +    locations."/".extraConfig = '' +      if ($request_method != GET) { +        return 403; +      } +      proxy_set_header Host $host; +      proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port}; +    ''; +    extraConfig = '' +      add_header 'Access-Control-Allow-Origin' '*'; +      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; +    '';    };    services.nginx.virtualHosts."p.krebsco.de" = {      enableACME = true; 
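Review bot: The new `cyberlocker` virtual host in lass/2configs/paste.nix, which forwards uploads and deletes to the htgen backend, is set apart from the public vhosts only by its server name `c.r`; no `allow`/`deny` or `listen` restriction is visible in this hunk. If this nginx also accepts connections from outside retiolum (the `c.krebsco.de` vhost added further down suggests it does), the server name alone does not restrict who can reach the write-enabled backend. I would add `allow 10.243.0.0/16; allow 42::/16; deny all;` to `locations."/".extraConfig`, using the same ranges as the Samba `hosts allow` in this commit. The `Access-Control-Allow-Methods` value also omits `PUT` and `DELETE`, which the backend script handles.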
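Review bot: The `c.krebsco.de` vhost uses `addSSL = true`, which keeps serving the same content over plain HTTP next to HTTPS; `forceSSL = true;` would redirect instead, provided nothing depends on the HTTP listener. `if ($request_method != GET)` also returns 403 for `HEAD` and `OPTIONS`, while the `Access-Control-Allow-Methods` header still advertises `POST` and `OPTIONS` on a host that refuses them, so `'GET'` would match the actual policy. `serverAliases = [ "c.krebsco.de" ]` repeats the vhost name and can be dropped.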
@@ -39,6 +71,10 @@ with import <stockholm/lib>;        proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};        proxy_pass_header Server;      ''; +    extraConfig = '' +      add_header 'Access-Control-Allow-Origin' '*'; +      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; +    '';    };    krebs.htgen.paste = { @@ -58,6 +94,12 @@ with import <stockholm/lib>;        (. ${pkgs.htgen-imgur}/bin/htgen-imgur)      '';    }; +  krebs.htgen.cyberlocker = { +    port = 7772; +    script = /* sh */ '' +      (. ${pkgs.htgen-cyberlocker}/bin/htgen-cyberlocker) +    ''; +  };    krebs.iptables.tables.filter.INPUT.rules = [      { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT";}    ]; | 
